Google’s Chrome Browser Vulnerable to Hackers

September 4, 2008

When Google’s new browser Chrome launched by surprise yesterday, many fans of the famously "do no evil" search company rushed to download it. Who wouldn’t be wooed by its clean looks, fast performance, and pledges of security? So far, we think the browser delivers on the first two — but we’re not so sure on that last one. Word is hitting the Web that Chrome is vulnerable to a Safari-related security issue that Apple has already fixed, but Google has (apparently) not.

The exploit lets a hacker automatically download an executable malware file to the user’s computer. It’s then up to the user to actually click on the file to run it, but with a little encouragement (as shown in the proof-of-concept), that’s not difficult to do. Should you avoid Chrome? Not necessarily, but if you’re going to use it, use common sense while online and don’t go crazy opening any file you like. The Internet’s still a dangerous place, you know.

Google’s shiny new Web browser is vulnerable to a carpet-bombing vulnerability that could expose Windows users to malicious hacker attacks.

Just hours after the release of Google Chrome, researcher Aviv Raff discovered that he could combine two vulnerabilities — a flaw in Apple Safari (WebKit) and a Java bug discussed at this year’s Black Hat conference — to trick users into launching executables direct from the new browser.

Raff has cooked up a harmless demo of the attack in action, showing how a Google Chrome user can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.

In the proof-of-concept, Raff’s code shows how a malicious hacker can use a clever social engineering lure — it requires two mouse clicks — to plant malware on Windows desktops.

The Google Chrome user-agent shows that Chrome is actually WebKit 525.13 (Safari 3.1), which is an outdated/vulnerable version of that browser.

Apple patched the carpet-bombing issue with Safari v3.1.2.

Some Google Chrome early adopters using Windows Vista are reporting that files downloaded from the Internet are automatically dropped on the desktop, setting up a scenario where a combo-attack using this unpatched IE flaw could be used in attacks.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the world.

See his full profile and disclosure of his industry affiliations. Send tips, ideas and feedback to naraine SHIFT 2 gmail.com
